[Snort-users] v2.8.4 incorrect logging to MySQL

Jason Brvenik jasonb at ...1935...
Tue Apr 14 17:14:36 EDT 2009


I'd like to clarify: Sourcefire is not saying only use barnyard and
ditch the rest; I am expressing my opinion that snort should only
support one fast output method and that output should be parsed into
whatever other things are desired as a separate process. I see a lot
of good coming from it.

I agree with the sentiment that another supported tool / method /
approach should be made in place of removing that functionality from
the detection engine itself.

Clearly there are people that rely on direct DB write from the engine;
that is fine. While the discussion is being had about output methods,
please express why direct output is critical in the face of that
output having limitations on the effectiveness of the engine and
suitable alternatives existing.

I would love to hear the problems being solved by direct DB output and
see a discussion about alternative ways to meet those needs. I would
also like to see the engine focus on detection and have as little
focus as possible on non-detection related activities.

On Tue, Apr 14, 2009 at 4:14 PM, Randal T. Rioux <randy at ...13561...> wrote:
> I've brought up the issue many times here. I started to develop my own
> version when Firnsy over at Securix let me know their intentions. I left
> the issue because it looked like they had a good thing (and still do).
>
> http://www.securixlive.com/barnyard2/index.php
>
> I'm still working on a different type of replacement that supports more
> databases. There's a few things in front of the queue right now, but I'd
> like to have something done by summer.
>
> I just don't like the idea of a product/company saying "only use this
> module" when that module is abandoned. If you truly are removing direct DB
> output, then dedicate a resource or two to a "supported" output parser for
> unified2 (which is what I'm focused on).
>
> Randy
>
>
> On Tue, April 14, 2009 1:15 pm, Joel Esler wrote:
>> After talking with Jason, I am going to try and put some bandwidth into
>> testing barnyard2.  See if it comes up for any of the shortfalls that
>> barnyard1 had. Are any of the barnyard2 developers on this list?
>>
>> J
>>
>> On Tue, Apr 14, 2009 at 12:54 PM, Jason Wallace
>> <jason.r.wallace at ...11827...>wrote:
>>
>>> I'll bite...
>>>
>>> I'd throw in a vote for this too, but out of curiosity... why unified
>>> over unified2?
>>>
>>> Either way, before you could do that there would have to be an
>>> "official" tool to read the binary file and output it to other formats.
>>> By official I mean something supported, documented (right on the snort
>>> web site), and, maintained so we know it will be there tomorrow and
>>> doesn't fade off into nothing like barnyard.
>>>
>>> Right now there are 3 options:
>>>
>>> Barnyard: http://www.snort.org/dl/barnyard/ - Works with unified but
>>> not unified2 - abandonware - DB connection issues
>>>
>>> Barnyard2: http://www.securixlive.com/barnyard2/index.php - Works with
>>> unified and unified2 - I have seen the same DB connection issues as
>>> with barnyard
>>>
>>> SnortUnified.pm: http://code.google.com/p/snort-unified-perl/ - Works
>>> but not very well documented (no disrespect meant Jason) - Not sure
>>> about the DB connection issue. I have tried to use this a couple of
>>> times, I'm not the best with perl so the lack of docs left me
>>> scratching my head.
>>>
>>> I wouldn't call any of these official. Recommended, but not official.
>>>
>>> Wally
>>>
>>> On Tue, Apr 14, 2009 at 12:08 PM, JJ Cummings <cummingsj at ...11827...>
>>> wrote:
>>>> /me raises hand.. "I"
>>>>
>>>> On Tue, Apr 14, 2009 at 9:56 AM, Joel Esler <jesler at ...1935...>
>>> wrote:
>>>>>
>>>>> Seconded.
>>>>>
>>>>> On Tue, Apr 14, 2009 at 11:38 AM, Jason Brvenik
>>> <jasonb at ...1935...>
>>>>> wrote:
>>>>>>
>>>>>> Here is my vote to remove all output methods from the engine
>>>>>> except unified, to remove the code complexity. People are much
>>>>>> better off having two dedicated processes achieving a common goal
>>>>>> than they are with the code complexity and issues in the one code
>>>>>> base.
>>>>>>
>>>>>> On Tue, Apr 14, 2009 at 8:31 AM, James Lay
>>> <jlay at ...13475...>
>>>>>> wrote:
>>>>>>>
>>>>>>> ________________________________
>>>>>>> From: Ron Jenkins <rjenkins at ...14345...>
>>>>>>> Date: Mon, 13 Apr 2009 09:21:09 -0500
>>>>>>> To: 'Joel Esler' <jesler at ...1935...>
>>>>>>> Cc: James Lay <jlay at ...13475...>, Snort <snort-users at lists.sourceforge.net>
>>>>>>> Subject: RE: [Snort-users] v2.8.4 incorrect logging to MySQL
>>>>>>>
>>>>>>> We are backing down from v2.8.4 until the new version can successfully
>>>>>>> write to the sensor and signature tables correctly.
>>>>>>>
>>>>>>> Until Sourcefire truly removes writing to the MySQL database and forces
>>>>>>> unified logging we see no reason to change at this time.  Yes the new
>>>>>>> rule changes are much wanted, but after reading on the mass issues on the
>>>>>>> snort forums with the new version we are holding off on the update.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>>
>>>>>>> I have to chime in and second this.  Though Unified might be best, for
>>>>>>> smaller shops, my perception is that barnyard is an added layer of
>>>>>>> complexity.  I run snort at the house on OS X...pretty much to catch
>>>>>>> the obvious dumb crap coming in from the outside world and to catch if the
>>>>>>> kids' machines get something naughty.  Again, larger shops where IDS is
>>>>>>> mission critical should take the extra step, but small ones..eh...I've
>>>>>>> found that logging direct to mysql works well enough.  My 0.02 I guess.
>>>>>>>
>>>>>>> James
>>>>>>>
>>>>>>>
>>>>>>>
>>> -----------------------------------------------------------------------
>>> -------
>>>>>>> This SF.net email is sponsored by: High Quality Requirements in
>>>>>>> a Collaborative Environment. Download a free trial of Rational
>>>>>>> Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com
>>>>>>> _______________________________________________ Snort-users
>>>>>>> mailing list Snort-users at lists.sourceforge.net Go to this URL
>>>>>>> to change user options or unsubscribe:
>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>> Snort-users list archive:
>>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>
>>>>> -- joel esler | Sourcefire | gtalk: jesler at ...1935... |
>>>>> 302-223-5974
>>
>> -- joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
>
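An added example, not code from Snort, Sourcefire, or any of the barnyard projects named in this thread: a minimal Python reader for Snort's unified2 output, i.e. the "separate process" half of the split Jason argues for above, and the kind of tool Wally says would need to exist before direct DB output could go. The record header and the Unified2IDSEvent (type 7) and Unified2Packet (type 2) layouts follow the unified2 format as documented in the Snort manual; the byte stream it parses is constructed inline rather than captured from a sensor, and the `event` table in `event_insert` is an assumed name, not the barnyard/ACID schema.

```python
# Added example (not Snort's or barnyard's code): minimal unified2 reader.
import socket
import struct

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Record header: uint32 type, uint32 length (network order), then `length` bytes.
RECORD_HDR = struct.Struct("!II")
# Unified2IDSEvent (IPv4): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
IDS_EVENT = struct.Struct("!11I2H4B")
# Unified2Packet: 7 x uint32 = 28 bytes, followed by packet_length bytes.
PACKET_HDR = struct.Struct("!7I")


def split_records(data):
    """Return (records, consumed): records as (type, payload) tuples and the
    offset of the first incomplete record. A reader tailing a live file resumes
    from `consumed` (what barnyard's waldo file stores) instead of treating a
    half-written record as corruption."""
    records, off = [], 0
    while off + RECORD_HDR.size <= len(data):
        rec_type, rec_len = RECORD_HDR.unpack_from(data, off)
        end = off + RECORD_HDR.size + rec_len
        if end > len(data):
            break  # truncated tail: wait for Snort to finish writing it
        records.append((rec_type, data[off + RECORD_HDR.size:end]))
        off = end
    return records, off


def decode_ids_event(payload):
    if len(payload) < IDS_EVENT.size:
        raise ValueError("short Unified2IDSEvent: %d bytes" % len(payload))
    f = IDS_EVENT.unpack_from(payload)
    return {
        "sensor_id": f[0], "event_id": f[1],
        "event_second": f[2], "event_microsecond": f[3],
        "signature_id": f[4], "generator_id": f[5], "signature_revision": f[6],
        "classification_id": f[7], "priority_id": f[8],
        "ip_source": socket.inet_ntoa(struct.pack("!I", f[9])),
        "ip_destination": socket.inet_ntoa(struct.pack("!I", f[10])),
        "sport_itype": f[11], "dport_icode": f[12], "protocol": f[13],
        "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }


def decode_packet(payload):
    if len(payload) < PACKET_HDR.size:
        raise ValueError("short Unified2Packet: %d bytes" % len(payload))
    f = PACKET_HDR.unpack_from(payload)
    pkt = payload[PACKET_HDR.size:PACKET_HDR.size + f[6]]
    if len(pkt) != f[6]:
        raise ValueError("packet_length %d runs past the record" % f[6])
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "packet_second": f[3], "packet_microsecond": f[4],
            "linktype": f[5], "packet": pkt}


def parse_unified2(data):
    """Decode a unified2 byte stream; record types this reader does not know
    (IPv6/V2 events, extra data) are skipped rather than stalling the consumer."""
    records, consumed = split_records(data)
    out = []
    for rec_type, payload in records:
        if rec_type == UNIFIED2_IDS_EVENT:
            out.append(dict(decode_ids_event(payload), kind="event"))
        elif rec_type == UNIFIED2_PACKET:
            out.append(dict(decode_packet(payload), kind="packet"))
    return out, consumed


def event_insert(ev, table="event"):
    """Parameterised INSERT for a hypothetical `event` table (assumed name, not
    the barnyard/ACID schema); the DB driver quotes the values, not this code."""
    cols = ("sensor_id", "event_id", "event_second", "signature_id",
            "generator_id", "ip_source", "ip_destination")
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (
        table, ", ".join(cols), ", ".join("%s" for _ in cols))
    return sql, tuple(ev[c] for c in cols)


def build_sample_stream():
    """Constructed sample, not sensor output: one IPv4 event (sid 1:2000000
    rev 3) with its packet, then a deliberately truncated third record."""
    src = struct.unpack("!I", socket.inet_aton("10.0.0.5"))[0]
    dst = struct.unpack("!I", socket.inet_aton("192.0.2.10"))[0]
    ev = IDS_EVENT.pack(1, 7, 1239731676, 123456, 2000000, 1, 3, 30, 2,
                        src, dst, 45678, 80, 6, 0, 0, 0)
    pkt_bytes = b"\x45\x00\x00\x28" + b"\x00" * 36
    pkt = PACKET_HDR.pack(1, 7, 1239731676, 1239731676, 123456, 1,
                          len(pkt_bytes)) + pkt_bytes
    stream = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
    stream += RECORD_HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt
    stream += RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev[:20]
    return stream


if __name__ == "__main__":
    decoded, consumed = parse_unified2(build_sample_stream())
    for rec in decoded:
        print(rec["kind"], rec["event_id"], rec.get("signature_id", ""))
    print("resume offset: %d" % consumed)
```

Run it directly to see the two decoded records and the resume offset. The truncation check is the detail that matters in practice: Snort appends records as events fire, so a consumer tailing the live file has to stop at the first incomplete record and resume from that offset later, rather than reporting corruption or mis-parsing the partial bytes as a record. Unknown record types are skipped instead of raising, so a sensor that emits the newer IPv6 or V2 event formats does not stall the consumer, and the INSERT is parameterised so the values never touch the SQL text.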